ASP.NET shared hosting security and performance for ecommerce aplications - asp.net

Is there any disadvantage on using shared hosting in general (of discountasp.net) for an ecommerce website? security concerns or performance? The site is new and we dont expect many visitors right now, we have at least 30 products.
I am using my own shopping cart, user accounts (Membership provider), credit card processor (paypal), my own CMS, in C# ASP.NET 4.0 webforms and SQL Server 2008.
I dont save credit card information in the database, my system only create an account for users who buy something in the checkout process, and we need only processing power on some paypal apis only in checkout (very low cpu usage I guess).
My website is optimized client-side and server-side, I have the XSS security enabled of ASP and the AntiXSS library of Microsoft in all inputs/outputs (forms, cookies, http headers, query strings and even websevices), stored procedures, parameterized queries to avoid sql injection, SSL connections, anti spam, compiled and obfuscated dlls, encripted web.config, etc...
I am missing something? thanks, and sorry for my bad english

Just to give you a quick answer:
Yes, there are problems. Plenty of them.
Performance is always (typically) worse on shared than on dedicated. Someone might be using all the IO and you get bottlenecked.
Security, as you can't manage the server you have no way of knowing if it's patched, hardeneded etc. If one of the thousand other people on the same shared server manages to exploit it you're done. However, one could argue that if you don't know how to secure a dedicated server it might be better to rely on the shared hosting providers experience.
Also, you have to trust the shared hosting provider not to steal your data etc.
One other thing is that if something crashes you have to wait for the provider to fix it rather then just do it yourserlf. Again, if you don't know how to fix it, it might be better to wait for the provider anyway..
All and all, for your site in the beginning I would go with shared hosting and move up to VPS as soon as you start generating some money on the site.

Related

Add users for ASP.NET Core from internal website

Sorry no code here because I am looking for a better idea or if I am on the right track?
I have two websites, lets call them A and B.
A is a website exposed to the internet and only users with valid account can access.
B is a internal (intranet) website with (Windows authentication using Active directory). I want Application B (intranet) to create users for Application A.
Application A is using the inbuilt ASP.NET JWT token authentication.
My idea is to expose a Api on the extranet website (A) and let (B) access this API. I can use CORS to make sure only (B) has access to the end point but I am not sure if this is a good enough protection? We will perform security penetrations test from a third party company so this might fail the security test?
Or
I can use entity framework to a update the AspnetUsers table manually. Not idea if this is feasible or the right way or doing things.
Any other solution?
In my opinion, don't expose your internal obligations with external solutions like implementing APIs etc ...
Just share the database to be accessible for B. In this way, the server administration is the only security concern and nobody knows how you work. In addition, It's not important how you implement the user authentication for each one (whether Windows Authentication or JWT) and has an independent infrastructure.
They are multiple solution to this one problem. It then end it really depends on your specific criteria.
You could go with:
B (intranet) website, reaching into the database and creating user as needed.
A (internet) website, having an API exposing the necessary endpoint to create user.
A (internet) website, having data migration running every now and then to insert users.
But they all comes with there ups and downs, I'll try to break them down for you.
API solution
Ups:
Single responsibility, you have only one piece of code touching this database which makes it easier to mitigate side effect
it is "future proof" you could easily have more services using this api.
Downs:
Attack surface increased, the API is on a public so subject to 3rd parties trying to play with it.
Maintain API as the database model changes (one more piece to maintain)
Not the fastest solution to implement.
Database direct access
Ups:
Attack surface minimal.
Very quick to develop
Downs:
Database model has to be maintained twice
migration + deployment have to be coordinated, hard to maintain.
Make the system more error prone.
Migration on release
Ups:
Cheapest to develop
Highest performance on inserts
Downs:
Not flexible
Very slow for user
Many deployment
Manual work (will be costly over time)
In my opinion I suggest you go for the API, secure the API access with OAuth mechanism. It OAuth is too time consuming to put in place. Maybe you can try some easier Auth protocols.

ASP.NET Web App, WCF Services and Database hosting

I have a general question about database hosting in relation to WCF and ASP.NET. We are currently developing a new online web application in ASP.NET, which gets/posts data to our MSSQL database with a WCF service (three tier infrastructure).
Now later in development we will be launching our website and hosting it on an external provider. We are unsure whether to keep the database for the website internally on our own servers, or host it externally along with our provider (they offer database hosting options as well).
If we hosted it externally, we would obviously back it up internally using batch scripts etc.
One major concern is the security of the database, as we are only a small business with not much experience in web security architecture. Due to this, we are leaning towards an external provider for both the website and database, who would obviously have experience and the equipment to manage such things.
Could you please offer some opinions on the matter?
Thanks!
There's always a risk associated with handing sensitive data off to an outside party, and trusting them to be as secure as you need.
There's no mystery here, someone at the provider will have enough access to look at your data if they really wanted to. So it all boils down to how sensitive is your data? Is there bank account info or social security numbers? For these reasons, our company cannot hand off such data to an outside party.
I'm a little confused though about one thing: if you could potentially host the database server when you go to production, why couldn't you host the website as well? Is it a matter of being able to handle high traffic?
Update in response to your comment:
It sounds like your data is somewhat sensitive, not highly sensitive. In which case if we're not being totally bonkers pedantic here, then you can reasonably assume a reputable hosting company will take the proper measures to secure your data, and from the sounds of it, they're probably more capable in this respect then your own company (not because you're careless or wet behind the ears, just because they would have considerable experience in this area where your company does not).
Now for the performance and hardware setup part if your comment... if you dont have the hardware or network infrastructure to meet your requirements, then you either a) upgrade your own infrastructure and hire the appropriate personnel to set it up and maintain it or b) you pay someone else to do it. Sounds like a no-brainer for you guys to go with option b.

VB stand alone application or ASP web application

I have experience developing software and web applications and I have decided to do some freelance work on the side. Well, I met with my first client and they are requesting a relatively simple, custom system that (without being long winded) tracks client’s paperwork as it progresses through the business’s different manual processes. It is a small business that has about 10 employees, but all of the employees will interact with the client’s paperwork, therefore everyone would need access to the new system. When I say ‘track’ I literally mean that the employees will ‘check as complete’ on a simple page the increases a progress bar at different stages for the paperwork. Now I am %110 capable of coding the custom system that meets their needs, but I am unsure about how I should go about doing it.
The information that is being tracked in the new system and stored in the DB is confidential information that they are very protective of. My main question is how should I be developing this to be as secure as I can?
-They have their own server in house, so should I develop an application (VB and SQL) for the server and require employees to log on remotely to use it? Can more than one person access/use the application at a time?
-Or should I develop a web application (ASP.Net/VB and SQL) that is only accessible on their network to their employees? They plan to expand offices, could they set up a VPN to access the site?
I’m leaning towards a web application, but I have not done too much in term of security. Basically I’m looking for pros and cons for either option or any suggestions on what I should.
PS, stackoverflow is awesome! Long time user, first time poster!
If you want to develop using vb & sql you have to consider that:
You need to have real ip
Your system will communicate threw certain port and you have to handle the security measure for letting certain port opened in your server.
You should have good knowledge in network programming
If you want to develop using asp.net you have to consider that:
in case only office employees will use the system, you can develop against users in Active Directory and for outside users with username and password with SSL connection or vpn
for preventing more than one person access the file you can simply add column 'locked' in case file is being used.
Well im not a web fan (I suck) ive seen too many security issues go with it...i.e Lulzsec, but i do very much love VB apps.
So I would definetely recommend a VB app connected to a MSSQL database (coz it's easy to configure and havent seen any security exploits yet),my Chinese friend told me there is a way to access MySQL free databases.Now, allow remote access but make sure your Windows Firewall is also configured properly do look at all angles of security.
If I remember well there is an option in MSSQL to specify the IP addresses or is it MAC addresses that can access the DB so maybe input all of the 10 employees' IP addresses assuming they are static,if they are dynamic (DHCP) don't bother. And ask them to make the IP address of the server where you will host the DB on static.
If only 10 employees use the DB then limit the connections to 10. For now develop this when it comes to VPN you can make a Remote version of the App im sure that will come later right now focus on the basics. Also use Dotfuscator when you are publishing the app I heard it is very good.N also im suggesting the document/work order is received at the reception so that user will check in the document with specifics...if they are passing on the work order to the next user they should select the user and then THAT user may enter some sort of verification code unique to the user...im sure you can envision the rest from here. Now do I also get a cut from this?lol
I've been doing the same for years now, and I always take the website side, this days I go width ASP.NET MVC 4, it's easier, everything in their place and extremely easier to test and maintain.
The web application has a very big advantage to any standalone windows application, you deploy and upgrade only one application instead to maintain all the different versions once you start deploying windows apps, and they are harder to debug once you start to having different machines with different versions and so on...
so, Web or Win app = Web app, always!
All you need is a server that run IIS and set it up for using Active Directory (Visual Studio has that project already, simply create an ASP.NET MVC and choose the "intranet" template), it will set up everything for you, and all you need later is tweak the Active Directory connection string.
I also use a self-signed SSL to protect data between client and server, as I also make the apps available outside the office without VPN needed, as long as they login with their secure AD credentials.
And... audit everything into a secondary database, every action performed by a user since they login until they logout, every view, update or creating data witch .NET makes it simple if you create your Logging method to simple log messages and Stack messages on errors.
This will greatly benefit your employer and you when something goes wrong.
I would say to go with web application. Advantage using web application is, if they want to expand bussiness .. same can you do with you WebApp. But choose .Net over VB, going with latest techonology will help you resolve current challanges.

How to hide my data stored in database from domain administrator of web server?

I want to make a secure website using ASP.NET, but when I publish it, the domain administrator can see all the data stored in my database (SQL Server). I want to hide my data and code from the domain administrator too. Are there any procedures to do that? Please give me the address of a good domain I can use, which will give me all administrative power of my website (Domain owner also cannot access my databases and files.) Thanks for your suggestion.
Have you looked at: SQL Server 2008 Transparent Data Encryption?
Also:
SQL Server 2008 Transparent Data Encryption
Understanding Transparent Data Encryption (TDE)
Have you considered using a Virtual Private Server? I believe with a VPS you should be able to have complete control over who has access to what at the operating system level.
You can encrypt data, but there's no way to protect code (especially not web-facing code), but frankly the question doesn't make sense - if you have trust issues with someone you have an implicit trust relationship with then you need to find a different provider.
If you don't trust anyone (personal psychology not withstanding) you need to host it yourself.
Addendum: look at it from the other way round, why would you host something for someone without being able to inspect it for security and even legal concerns?
If you want total security there's quite a few things you need to implement:
As others have said you need physical encryption of your database. Merely blocking them from accessing the database is not enough because they have access to the physical database files and can use tools on them to access the data directly.
You will want to use web.config encryption
Walkthrough: Encrypting Configuration Information Using Protected Configuration
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
This is rather questionable security however since it requires a key container to be installed upon the server it would be arguably achievable for a nefarious administration to copy your key and then use it to manually decrypt your web.config. To protect yourself further than that you would need to create a secured web service (secured both for message transport, SSL, and secured message that the content itself is encrypted inside the SSL transport tunnel, see WCF services security) that your application constantly talks to for protected data like the login users for the sql server database and then apply rotating passwords to make it if they intercepted one password that it might not be valid anymore if it's been rotated.
After this point you will need to use source code protection that includes decompilation protection and code obfuscation. This will add a layer of protection from prohibiting viewing the source of your application directly for information about how else you protect your application (this will only go so far to stop a sophisticated cracker though).
All in all at this point you've achieved nearly the highest level of code/data security you can inside a hosted environment but this goes back to the core problem. If you have concerns that the system operator is nefarious then all of these protections even can still be beaten if the admin is skilled enough and has enough motivation to do it.
If you need protection above and behind this you would really want to look at colocation hosting or at the very least dedicated server hosting that would allow you to apply encryption at the operating system level as this protects you from the most effective brute strength attacks which involve just ripping out hard drives from a machine and spraying ram with air duster upside down to freeze it and then attempt to steal encryption keys from the ram itself disconnected from the server.
Having security that makes you immune (or nearly immune) to this kind of attack basically requires using TrueCrypt for native encryption of your file system where you do not have it cache the keys/key files in memory. At this point the only last part of security left is to host at a reputable data center like ThePlanet or Rackspace that has 24/7 electronic surveillance that it would be nearly impossible for a nefarious employee to be able to compromise your server without video recordings of it occuring.
Remove the BUILTIN\Administrators group from the sysadmin role - obviously this can only be done by a server admin, but in a proper environment, it is possible for domain admins to only be able to maintain servers nad not see data.
In 2008, the default is to not include this.
As for code, you can obfuscate your DLLs, but there is no complete way to hide code from someone who can access the filesystem.
You won't be able to hide the source code, but you do have some options to make it less inviting to admins:
obfuscate - deter people from knowing what is happening syntactically. While they can follow the code and eventually figure it out (if they want), it requires more effort. After all, with enough effort and know-how, anything can be cracked.
encrypt - because the web page needs to be decrypted by the server, the server needs to have a key to decrypt it. This key needs to be stored in a file that the server (and thus admin) has access to. Using some obfuscation, you can try and hide this (again), but any places there is a symmetric encryption, a superuser has the ability to get at it.
Note:
Any time something is encrypted, it will most likely require a decrypt to use/view. The process will be a negative performance impact.
When things are encrypted, especially from an admin perspective, it is essentially an invitation calling for alarm; it creates curiosity. If it's data, that's one thing, but code should not need to be encrypted where there is trust. It's like saying that you have something you want to hide, generally meaning something "bad" that you don't want found out.

How to implement copy protection in website product?

My company has a website product (ASP.NET) which is sold to customers. It means we don't host the website. They install it on their server and run it in the intranet.
I need to implement some sort of copy protection mechanism so that not everyone ends up installing the website. It has following aspects:
It has to be completely software based (no dongles).
Hiding usage information in registry or some folder in c:\ (basically outside virtual directory) is not an option for a website
Please can you suggest any scheme/method?
One suggestion is to use some kind of web service running, of course you need to have a main server to do so. In this server you can have some of your clients servers data (IP of the authorized servers, CPU and Motherboard ID's, and other important data).
This web service has to run some important logic of the program and return a value to the authorized servers. If the data of autorization sent by the client doesn't match, the server do will not execute the routine.
Of course I assume that this side of the logic is included in a DLL in the application and not in plain code.
A technique that worked well for a buddy of mine was to install a web bug on an administrative page which would report back to their server. You can monitor when and where the application is installed. It could be easily removed, but won't by most customers.
Simple, easy to do, and works relatively well.
Something you could try. Compile binaries for each client, obfuscate the code, lock the site down to a single domain. If its an internal app the domain might be something like "productname.clientname.internal". The app checks the domain of all the incoming requests, refuses anything that doesn't match.
As already pointed out by jeffamaphone: people will find ways around it, but it's enough to 'slow down' those not super determined.
[disclaimer]I sell the product I am recommending.[/disclaimer]
Take a look at DeployLX. You can add licensing to your web based application to require one of a couple different options.
Hardware based locking so it can only be used on one machine.
Domain based locking so it's tied to a specific domain name.
IP based locking to tie it to an IP address.
License server locking to that your app checks in periodically with a centralized web service.
It's pretty flexible and should let you create a balance between protection and not frustrating your users.

Resources